Weird ‘hex’ (?) IP addresses in Apache access logs

My Apache web server access log has numerous odd-looking entries like these, wherein the IP address is either blank or in some highly variable format which I do not understand. Internet searches produce Russian output; hex decoders can’t make sense of it. I don’t have any other resources! Can anyone here tell me what these coded IP addresses mean? (Yes, I do get mostly normal-looking IPv4 and the occasional IPv6 IPs too…)

\xa0\x9a\x01\xfa\x80\x7f - - [06/Sep/2020:21:59:58 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0\xaa\x80\xfb\x80\x7f - - [06/Sep/2020:21:59:58 -0500] "GET / HTTP/1.1" 301 229
\xa0\xaa\x80\xfb\x80\x7f - - [07/Sep/2020:08:00:29 -0500] "GET /admin/ HTTP/1.1" 301 235
\xa0\xaa\x80\xfb\x80\x7f - - [07/Sep/2020:08:00:29 -0500] "GET /robots.txt HTTP/1.0" 301 239
\xa0\xaa\x80\xfb\x80\x7f - - [08/Sep/2020:07:59:00 -0500] "GET /mount-failed.png HTTP/1.1" 301 245
\xa0\xaa\x80\xfb\x80\x7f - - [08/Sep/2020:07:59:00 -0500] "GET /small-low-res-screen.png HTTP/1.1" 301 253
\xa0\xe2\x06\xfb\x80\x7f - - [08/Sep/2020:08:02:12 -0500] "GET /mount-failed.png HTTP/1.1" 301 245
\xa0\xaa\x80\xfb\x80\x7f - - [09/Sep/2020:08:29:26 -0500] "GET /wp-login.php HTTP/1.1" 301 241
\xa0\xaa\x80\xfb\x80\x7f - - [09/Sep/2020:08:29:26 -0500] "GET / HTTP/1.1" 301 229
\xa0\xaa\x80\xfb\x80\x7f - - [09/Sep/2020:08:29:26 -0500] "GET /humans.txt HTTP/1.1" 301 239
\xa0\xe2\x06\xfb\x80\x7f - - [09/Sep/2020:08:29:26 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0\xaa - - [12/Sep/2020:07:05:56 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0t\x86\xfa\x80\x7f - - [12/Sep/2020:07:06:29 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0\xe2\x06\xfb\x80\x7f - - [12/Sep/2020:07:06:29 -0500] "GET /sitemap_index.xml HTTP/1.1" 301 246
\xa0\xaa - - [12/Sep/2020:07:13:11 -0500] "GET / HTTP/1.1" 301 229
\xa0t\x86\xfa\x80\x7f - - [12/Sep/2020:07:13:11 -0500] "GET / HTTP/1.1" 301 229
\xa0\x9a\x01\xfa\x80\x7f - - [12/Sep/2020:07:13:11 -0500] "GET / HTTP/1.1" 301 229
\xa0t\x86\xfa\x80\x7f - - [12/Sep/2020:07:13:27 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0\xaa - - [12/Sep/2020:07:14:01 -0500] "GET / HTTP/1.1" 301 229
\xa0\x9a\x01\xfa\x80\x7f - - [12/Sep/2020:07:15:21 -0500] "GET / HTTP/1.1" 301 229
 - - [21/Sep/2020:18:36:35 -0500] "GET / HTTP/1.0" 400 362

Thanks in advance for any insight you can offer. Cheers//Gib Henry


I think we’d need an actual packet capture to see what’s going on here. My thought is that somehow fragmented packets are getting through to Apache - either that or someone is trying to crash the TCP/IP stack by putting garbage in the IP headers.
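
A way to size up entries like the ones quoted in the question before taking a packet capture, as an added example that is not part of either post: it flags access-log lines whose client field is not a valid IPv4 or IPv6 address and groups them by the raw bytes behind the \xhh escapes. Assumptions: the client address is the first field and hostname lookups are off; the function names and the two well-formed sample entries (documentation addresses) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Sample input: four lines in the format quoted in the question, plus two
# constructed well-formed entries using documentation addresses.
SAMPLE = r'''\xa0\xaa\x80\xfb\x80\x7f - - [06/Sep/2020:21:59:58 -0500] "GET / HTTP/1.1" 301 229
\xa0t\x86\xfa\x80\x7f - - [12/Sep/2020:07:06:29 -0500] "GET /robots.txt HTTP/1.1" 301 239
\xa0\xaa - - [12/Sep/2020:07:05:56 -0500] "GET /robots.txt HTTP/1.1" 301 239
203.0.113.7 - - [12/Sep/2020:07:07:00 -0500] "GET / HTTP/1.1" 200 512
2001:db8::1 - - [12/Sep/2020:07:08:00 -0500] "GET / HTTP/1.1" 200 512
 - - [21/Sep/2020:18:36:35 -0500] "GET / HTTP/1.0" 400 362'''

# client, ident, user, [time], "request", status; the client field may be empty.
LINE = re.compile(
    r'^(?P<host>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def unescape(field):
    """Turn \\xhh escapes in a logged field back into the raw bytes."""
    return re.sub(rb'\\x([0-9a-fA-F]{2})',
                  lambda m: bytes.fromhex(m.group(1).decode()),
                  field.encode('latin-1'))

def classify(host):
    """Label the client field: 'empty', 'ipv4', 'ipv6' or 'malformed'."""
    if host == '':
        return 'empty'
    try:
        return 'ipv%d' % ipaddress.ip_address(host).version
    except ValueError:
        return 'malformed'

def triage(text):
    """Return (count per class, {hex of raw client bytes: [(time, request)]})."""
    counts, odd = Counter(), {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            counts['unparsed'] += 1
            continue
        kind = classify(m['host'])
        counts[kind] += 1
        if kind == 'malformed':
            raw = unescape(m['host']).hex()
            odd.setdefault(raw, []).append((m['time'], m['req']))
    return counts, odd

if __name__ == '__main__':
    counts, odd = triage(SAMPLE)
    print(dict(counts))
    for raw, hits in sorted(odd.items()):
        print(raw, len(raw) // 2, 'bytes', len(hits), 'request(s)')
```

Run over the full log, the per-value timestamps show which time windows a capture would need to cover.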